Arvutiteaduse instituut
  1. Kursused
  2. 2022/23 sügis
  3. Infoturve (MTAT.07.028)
EN
Logi sisse

Infoturve 2022/23 sügis

  • Home
  • Lectures & labs
  • Homework & course rules
  • Exam
  • News
  • Links

Homework #3

Table of contents

  • Written tasks (2p)
    • Submission form
  • Hash task (2p)
  • KeePassXC task (2p)



Deadline: 20th of November (the solution has to be submitted before Monday)

Recommended reading

  • Authentication
    • The secret to online safety: Lies, random characters, and a password manager (written in 2013, so software recommendations are no longer valid)
    • How to: Use KeePassXC

Written tasks

  1. How would it be possible to attack a two-factor authentication system of a cryptocurrency exchange that relies on a password and a one-time code delivered via SMS? The goal of an attacker is to do a transaction without the victim noticing an attack before it is too late. Lets assume that this requires two unique one-time codes delivered over SMS, one for logging in and the second for confirming a transaction. Getting just one code is not sufficient. Give a brief step-by-step description of the attack, which is written down as an ordered list of steps. All relevant steps for the attack to succeed must be listed.

    Restrictions:The attacker is not able to attack the Bitcoin exchange and not able to get access to the phone containing the SIM card. However, an attacker may be able to message the user or infect the computer. You will not get full points for a vague answer, the steps for the successful attack have to be clearly stated. Hint: there are multiple correct answers. Read Man in the Browser Attack vs. Two Factor Authentication (2012) in order to get ideas (do not copy technical details as they may no longer be valid). (2p)

Submission form for the written tasks

The solution should be submitted through this website. The solution can be submitted once you have logged in with the university credentials. We accept solutions only in .pdf format if it is not stated otherwise in the homework task. The solutions of the practical tasks have to submitted separately to their corresponding input forms (see below).

We would like to get feedback about the difficulty of the homework and therefore we would kindly ask you to write in the comments box an estimate of how much time it took to solve the homework tasks.

11. Homework 3 - written tasks (PDF)
Sellele ülesandele ei saa enam lahendusi esitada.

Hash breaking task

Each student has a pseudonym for the information security course in this web site. The pseudonym was randomly connected to a hash value. Your task if to find the input that gave he hash value that is connected with your pseudonym and also the name of the hash function which was used to create that hash value.

This task illustrates why passwords have to be hashed and salted when stored in a database. The list of hashes for this task can be found from here: hash values and pseudonyms. (2p) 

 Hints and suggestions:
  • You do not need any additional software to solve this task. You do not have to break that hash value on your own. However, you will have to find other means to find the input. Think back to the authentication lecture and try to remember what the attackers are doing if a database is breached and no salting was used.
  • Make sure that you will be using the hash value that was assigned to your pseudonym. The solutions are graded automatically, which means that if you solve the wrong hash value then you will get 0 points.
  • Information about the common hash functions (e.g., the length of the hash value) can be found from the following Wikipedia page: List of cryptographic hash functions
  • Hash values are usually encoded using hex. In case the length of the hash is known (in number of bits), then it is easy to find its length in hex. To do that, one has to divide the number of bits with eight (to get the number of bytes) and then multiply the result with two (to represent one byte two hex symbols are required).
  • You may need to use a search engine to find the solution. Thus, it is good to know some tricks that helps you to find exact matches for your queries: Google Search Tips You'll Want to Learn

The solution has to be in a simple text file (with .txt extension, not in a .docx file!!!) that contains only two rows. The first row must only contain the found input value. The second row must only contain the name of the hash function. In case you add any additional information or do not use the required file type or file format then the automatic grading script can give you 0 points. In case you are using Windows then you can create a simple text file with the software Notepad. 10. Homework3: hash breaking (.txt file)

Sellele ülesandele ei saa enam lahendusi esitada.

KeePassXC task

Use KeePassXC to create a password database file and submit this file (.kdbx file) below. You will find some background information from the lecture notes. The following guide can also help to solve the task: How to: Use KeePassXC. (2p)

The solution will have to follow the following guidelines:

  • The master password for the database has to be 1234567890. This is deliberately too short to make verifying the solutions easier. You will get 0 points if a different master password is used.
  • Enter a new row / entry to the database. The entry's name (title) must be your pseudonym for the information security course and username must also be your pseudonym.
  • Password must be randomly generated and 31 characters long. It must include characters from at least these classes: lower and upper case letters, numbers.
9. Homework3: KeePassXC (.kdbx file)
Sellele ülesandele ei saa enam lahendusi esitada.
  • Arvutiteaduse instituut
  • Loodus- ja täppisteaduste valdkond
  • Tartu Ülikool
Tehniliste probleemide või küsimuste korral kirjuta:

Kursuse sisu ja korralduslike küsimustega pöörduge kursuse korraldajate poole.
Õppematerjalide varalised autoriõigused kuuluvad Tartu Ülikoolile. Õppematerjalide kasutamine on lubatud autoriõiguse seaduses ettenähtud teose vaba kasutamise eesmärkidel ja tingimustel. Õppematerjalide kasutamisel on kasutaja kohustatud viitama õppematerjalide autorile.
Õppematerjalide kasutamine muudel eesmärkidel on lubatud ainult Tartu Ülikooli eelneval kirjalikul nõusolekul.
Courses’i keskkonna kasutustingimused